Response to Amendment 

This office action is responsive to Applicant's amendment received on 6/6/2008. 
Claims 105-107, 109-118 and 127-167 were pending in the application. Claims 106, 
116, 157-158, 160-161 and 167 have been canceled. Claims 105, 107, 115, 118, 127- 
128, 135-139, 142-143, 145, 147-148, 152, 155, 159 and 164 have been amended. 
Therefore, claims 105, 107, 109-115, 117-118 and 127-156, 159, 162-166 are now 
pending in this application. 

Response to Arguments 

Applicant's arguments with respect to claims 105-107, 109-118, and 127-167 
have been considered but are moot in view of the new ground(s) of rejection. 



Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 
Claims 105, 107, 115, 117-118, and 127-167 are rejected under 35 U.S.C. 
103(a) as being unpatentable over Kouznetsov, (U.S. Patent No. 6,973,577), in view of 
Chess et al., (U.S. Patent No. 6,772,346 and Chess hereinafter). 

Regarding claims 105, 115, 117, 127-128, 151-152, and 159-167, Kouznetsov 
discloses a computer-implemented method comprising: 

selecting an active program on a computer system as code under investigation 
(i.e., wherein code under investigation is each of the incoming system calls 91, 92, and 
93 generated by the applications 33, 34, and 35 (shown in figure 2)), wherein 
the program is running on the computer system in a manner that permits the program to 
infect the computer system (col. 5, lines 18-65 and col. 6, lines 1-30); and 

successively executing each of the first and second plurality of detection 
routines (i.e., static analyzer 52 and dynamic analyzer 53)(col. 4, lines 47-58), wherein 
said executing includes: 

applying the detection routine to the code under investigation to obtain a result, 
weighting such result to obtain a score indicative of whether the code under 
investigation has characteristics and/or behaviors typically associated with malicious 
code (i.e., static analyzer 52 performs behavior checking and generates alerts and 
histograms only if patterns of suspicious events are observed. Dynamic analyzer 53 
analyzes histograms and identifies behavioral repetitions within the histograms which 
indicate behavior characteristic of a computer virus/compromise)(col. 4, lines 38-67 and 
col. 5, lines 1-7); 
using the score (i.e., the results indicated by static analyzer 52 and dynamic 
analyzer 53) to categorize the code under investigation with respect to the likelihood of 
the code under investigation compromising the security of the computer system (i.e., 
computer viruses are self-replicating program code which often carry malicious and 
sometimes destructive payloads and "malware" can include Trojan horses, hoaxes, and 
spam mail - col. 1, lines 45-48)(col. 5, lines 18-67 and col. 6, lines 1-30); 

using the score to categorize the code under investigation with respect to the 
likelihood of the code under investigation compromising the security of the computer 
system (i.e., computer viruses are self-replicating program code which often carry 
malicious and sometimes destructive payloads and "malware" can be categorized in the 
following: Trojan horses, hoaxes, and spam mail - col. 1, lines 45-48)(col. 5, lines 18-67 
and col. 6, lines 1-30). 

Kouznetsov does not explicitly disclose a weighing functionality that 
scores/determines the monitored events/code under investigation as valid/non- 
malicious code. 

However, Chess discloses applying a detection routine to the code under 
investigation to obtain a result, weighting such result to obtain a first score indicative of 
whether the code under investigation has characteristics and/or behaviors typically 
associated with malicious code with valid code (i.e., files determined to be non- 
malicious)(col. 5, lines 55-67 and col. 6, lines 1-21), and applying a second detection 
routine to the code under investigation to obtain a second result, weighting such second 
result to obtain a second score indicative of whether the code under investigation has 
characteristics and/or behaviors typically associated with malicious code (col. 6, lines 
19-29); 

Chess further discloses upon completing the executing of the first and second 
plurality of detection routines, using the first and/or second scores to categorize the 
code under investigation with respect to the likelihood of the code under investigation 
compromising the security of the computer system (i.e., the filtering step may include 
the steps of determining whether a file contains known malicious code that is correctly 
handled by an existing protection definition)(col. 5, lines 55-67 and col. 6, lines 1-35). 

Therefore, it would have been obvious to a person of ordinary skill in the art at 
the time of applicant's invention to modify teachings of Kouznetsov with teachings of 
Chess because it would allow scoring/determining the monitored events/code under 
investigation as valid/non-malicious and invalid/malicious code as disclosed by Chess. 
One of ordinary skill in the art would have been motivated by the suggestion of Chess to 
filter out undesirable mails (i.e., files) from client inboxes (Chess, col. 9, lines 23-30). 

Regarding claims 107 and 118, Kouznetsov discloses the method of claim 105, 
further comprising: 

selecting an active program on a computer system as code under investigation 
(i.e., wherein code under investigation is each of the incoming system calls 91, 92, and 
93 generated by the applications 33, 34, and 35 (shown in figure 2)), wherein 
the program is running on the computer system in a manner that permits the program to 
infect the computer system (col. 5, lines 18-65 and col. 6, lines 1-30); and 
successively executing each of the first and second plurality of detection 
routines (i.e., static analyzer 52 and dynamic analyzer 53)(col. 4, lines 47-58). 

Regarding claim 129, Kouznetsov discloses the method of claim 105, further 
comprising: 

determining from the score (i.e., repetitions of suspicious behavioral patterns) 
that the code under investigation is malicious code (col. 5, lines 43-58 and col. 6, lines 
63-67 and col. 7, lines 1-10). 

Chess discloses determining from the scores (i.e., matches between code under 
investigation and the records of database 210 of known non-malicious files or the 
records of database 220 of known malicious code descriptions) that the code under 
investigation is malicious code (col. 6, lines 5-35). 

Regarding claim 130, Kouznetsov discloses the method of claim 129, wherein 
the malicious code does not have a known signature (i.e., a knowledge of specific, pre- 
identified computer viruses would not be necessary because behavioral patterns typical 
of computer viruses are observed. An example of malicious code with unknown 
signature is polymorphic viruses)(col. 2, lines 1-2 and lines 21-29). 

Regarding claim 131, Kouznetsov discloses the method of claim 105, wherein 
the detection routine examines the behavior of the suspicious code under investigation 
(i.e., static analyzer 52 performs behavior checking and generates alerts and 
histograms, wherein "behavior checking" is monitoring the occurrence of an event from 
the events list and dynamic analyzer 53 analyzes histograms and identifies behavioral 
repetitions within the histograms which indicate behavior characteristic of a computer 
virus, wherein such histograms are not known virus signatures associated with any 
virus)(col. 4, lines 47-67 and col. 5, lines 1-6). 

Regarding claim 132, Chess discloses the method of claim 131, wherein the 
detection routine examines the behavior of the valid and suspicious code under 
investigation (col. 5, lines 55-67 and col. 6, lines 1-29). 

Regarding claim 133, Kouznetsov discloses the method of claim 105, wherein 
the detection routine is not specific to the code under investigation (col. 4, lines 15-37). 

Regarding claims 135, 142 and 147, Chess discloses the method of claim 105, 
wherein the determination is made from the first and second scores that the code under 
investigation is valid code (i.e., files determined to be non-malicious)(col. 5, lines 55-67 
and col. 6, lines 1-21). 

Regarding claim 138, Kouznetsov discloses the method of claim 105, wherein 
determination is made from the score that the code under investigation is suspicious 
code, wherein suspicious code has not been determined to be either valid or malicious 
code (i.e., the categories of the events that are monitored, e.g., events 1-9, col. 5, lines 
25-40 may or may not be malicious depending on the repetitions of suspicious 
behavioral patterns ... the observed group of suspicious events could "potentially" be 
malicious)(col. 4, lines 38-67 and col. 5, lines 1-67 and col. 6, lines 1-30). 

Regarding claim 139, Kouznetsov discloses the system of claim 127, further 
comprising program instructions executable by the processor to: 

determining from the score (i.e., repetitions of suspicious behavioral patterns) 
that the code under investigation is malicious code (col. 5, lines 43-58 and col. 6, lines 
63-67 and col. 7, lines 1-10). 

Regarding claims 140, 160, and 161, Kouznetsov discloses the system of claim 
139, wherein the malicious code is a previously unknown malicious code (i.e., a 
knowledge of specific, pre-identified computer viruses would not be necessary because 
behavioral patterns typical of computer viruses are observed. An example of malicious 
code with unknown signature is polymorphic viruses)(col. 2, lines 1-2 and lines 21-29). 

Regarding claim 142, Chess discloses the system of claim 127, further 
comprising program instructions executable by the processor to: 

determine from the first and second scores that the code under investigation is 
valid code (i.e., files determined to be non-malicious)(col. 5, lines 55-67 and col. 6, lines 
1-21). 
Regarding claims 144 and 149, Kouznetsov discloses the system of claim 127, 
further comprising program instructions executable by the processor to: 

determining from the score that the code under investigation is suspicious code 
(i.e., the categories of the events that are monitored, e.g., events 1-9, col. 5, lines 25-40 
may or may not be malicious depending on the repetitions of suspicious behavioral 
patterns ... the observed group of suspicious events could "potentially" be 
malicious)(col. 4, lines 38-67 and col. 5, lines 1-67 and col. 6, lines 1-30). 

Regarding claim 145, Kouznetsov discloses the memory medium of claim 128, 
further comprising program instructions executable to: 

determining from the score (i.e., repetitions of suspicious behavioral patterns) 
that the code under investigation is malicious code (col. 5, lines 43-58 and col. 6, lines 
63-67 and col. 7, lines 1-10). 

Chess discloses determining from the scores (i.e., matches between code under 
investigation and the records of database 210 of known non-malicious files or the 
records of database 220 of known malicious code descriptions) that the code under 
investigation is malicious code (col. 6, lines 5-35). 

Regarding claim 146, Kouznetsov discloses the memory medium of claim 145, 
wherein the malicious code is a previously unknown type of malicious code (i.e., a 
knowledge of specific, pre-identified computer viruses would not be necessary because 
behavioral patterns typical of computer viruses are observed. An example of malicious 
code with unknown signature is polymorphic viruses)(col. 2, lines 1-2 and lines 21-29). 

Regarding claim 147, Kouznetsov discloses the memory medium of claim 128, 
further comprising program instructions executable to: 

determine from the first and second scores that the code under investigation is 
valid code (i.e., static analyzer 52 performs behavior checking and generates alerts and 
histograms only if patterns of suspicious events are observed)(col. 4, lines 38-67 and 
col. 5, lines 1-40). 

Regarding claims 134, 136, 137, 141, 143, 148, 150, 153-158, and 162-166, 
Kouznetsov discloses determining from the score (i.e., repetitions of suspicious 
behavioral patterns) that the code under investigation is malicious code (col. 5, lines 43- 
58 and col. 6, lines 63-67 and col. 7, lines 1-10). 

Chess further discloses wherein the determination that the code under 
investigation is malicious code is based on the first score not exceeding a valid code 
threshold value (i.e., matches between code under investigation and the records of 
database 210 of known non-malicious files) and the second score exceeding a 
malicious code threshold value (i.e., matches between code under investigation and the 
records of database 220 of known malicious code descriptions)(col. 6, lines 5-35). 
Chess further discloses clustering files within each classification by using a code- 
similarity metric to determine the similarity of the possibly-malicious code in each file to 
the corresponding code in the other files and grouping together those files which are 
closest according to the metric (col. 7, lines 33-46). 
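As an added illustration, not text or code from either cited patent or from the applicant, the two-score, two-threshold categorization the rejection describes above (first score against a valid-code threshold, second score against a malicious-code threshold, with a suspicious category for everything in between), written in Python; the event names, weights, thresholds and sample inputs are constructed assumptions:

```python
"""Weighted two-routine scoring with thresholded categorization (hypothetical)."""
from collections import Counter

VALID, SUSPICIOUS, MALICIOUS = "valid", "suspicious", "malicious"

# Constructed weights for a behavior-checking routine: each suspicious event
# observed in the code under investigation contributes its weight per occurrence,
# so repeated events in the event histogram accumulate a higher score.
SUSPICIOUS_EVENT_WEIGHTS = {
    "open_executable_for_write": 3.0,
    "modify_boot_sector": 5.0,
    "hook_interrupt": 4.0,
    "read_own_image": 2.0,
}


def first_score(known_good_matches: int, total_checks: int) -> float:
    """First routine: fraction of checks matching records of known non-malicious
    code. Higher values mean the code looks more like valid code."""
    return known_good_matches / total_checks if total_checks else 0.0


def second_score(events: list[str]) -> float:
    """Second routine: weighted sum over the histogram of observed events.
    Unknown event names carry no weight."""
    histogram = Counter(events)
    return sum(SUSPICIOUS_EVENT_WEIGHTS.get(e, 0.0) * n for e, n in histogram.items())


def categorize(s1: float, s2: float,
               valid_threshold: float = 0.8,
               malicious_threshold: float = 6.0) -> str:
    """Combine both scores once both routines have completed.

    malicious: first score does not exceed the valid-code threshold AND the
               second score exceeds the malicious-code threshold;
    valid:     first score exceeds the valid-code threshold AND the second
               score does not exceed the malicious-code threshold;
    suspicious: anything else, i.e. not yet determined to be valid or malicious.
    """
    if s1 <= valid_threshold and s2 > malicious_threshold:
        return MALICIOUS
    if s1 > valid_threshold and s2 <= malicious_threshold:
        return VALID
    return SUSPICIOUS


def investigate(known_good_matches: int, total_checks: int,
                events: list[str]) -> tuple[float, float, str]:
    """Run both routines on one piece of code under investigation."""
    s1 = first_score(known_good_matches, total_checks)
    s2 = second_score(events)
    return s1, s2, categorize(s1, s2)


if __name__ == "__main__":
    # Constructed sample: conflicting evidence lands in the suspicious bucket.
    print(investigate(9, 10, ["modify_boot_sector", "hook_interrupt"]))
```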

Regarding claim 149, Kouznetsov discloses the memory medium of claim 128, 
further comprising program instructions executable to: 

determine from the first and second scores that the code under investigation is 
suspicious code (col. 4, lines 38-67 and col. 5, lines 1-40). 

Claims 109-114 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Kouznetsov, (U.S. Patent No. 6,973,577), in view of Chess et al., (U.S. Patent No. 
6,772,346 and Chess hereinafter), in further view of Hill et al., (U.S. Patent No. 
6,088,804 and Hill hereinafter). 

Regarding claims 109-114, Kouznetsov discloses the method of claim 105, 
wherein the malicious code includes monitoring software (i.e., events such as system 
calls having the ability to monitor system input/output activities are monitored)(col. 5, 
lines 18-67 and col. 6, lines 1-30). 

Chess discloses wherein the malicious code can include computer viruses, 
worms, or Trojan Horses (col. 3, lines 51-53). 
Hill further discloses that security event types may include destructive virus, 
snooping virus, worm, Trojan Horse, FTP requests, and network overload (col. 5, lines 
59-61). 

It would have also been obvious to a person of ordinary skill in the art at the time 
of applicant's invention to modify the combined teachings of Kouznetsov and Chess 
with teachings of Hill because it would allow categorizing the code under investigation 
(i.e., simulated attacks - wherein a simulated attack includes at least one of security 
event types) with respect to the likelihood of the code under investigation compromising 
the security of the computer system as disclosed by Hill. One of ordinary skill in the art 
would have been motivated by the suggestion of Hill to provide knowledge of severity 
and overall nature of attack (Hill, col. 2, lines 45-60). 



Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Arezoo Sherkat whose telephone number is (571) 272- 
3796. The examiner can normally be reached on 8:00-4:30 Monday-Friday. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on (571) 272-3795. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/Arezoo Sherkat/ 
Patent Examiner 
Group 2131 
August 29, 2008 

/Ayaz R. Sheikh/ 

Supervisory Patent Examiner, Art Unit 2131 



